We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

vNick
ServiceNow Employee

**** As of September 2023, this blog is obsolete as the data model became GA ****

 

**** INNOVATION LAB RELEASE ****

This article applies to an innovation lab release, the details of the data model described in this article are subject to change prior to going general availability.

 

A new application named "Service Graph Connector for Kong" has been introduced on the innovation lab.  The initial release of this app only contains a new CMDB data model which will facilitate future service graph connectors for populating the model.  In the release there are no integration components included which populate the model.  Once we have vetted the data model with customers, we will move the classes to the standard "CMDB CI Class Model" application on the store to be used in production instances.  In v0.2 of the SGC for Kong we will introduce the actual integration components for populating the data model from Kong Gateways.

 

Let's first understand the data model.

 

Core Data Model

 

To begin, look at the two new classes below.

vNickNOW_0-1682082941545.png

Core of the new API data model

 

If you are familiar with the OpenAPI specification, then some of the terminology used in this article will be familiar.  Otherwise, I will elaborate where possible.  The API (cmdb_ci_api) is designed to store information about the top level API like name, version, and base URL.  the API Component (cmdb_ci_api_component) is designed to represent the various resources of the API.  These will include unique method and path combinations, varying authentication requirements, ports used, and more.

 

An example of how this might look can come directly from ServiceNow if we look at the REST API Explorer.

 

vNickNOW_0-1682343480407.png

ServiceNow Example

 

In this example, we are looking at the CMDB Instance API which would presumably be stored in the base API class (cmdb_ci_api).  The various resources below that like "GET Query records for a CMDB class" would represent the different API components (cmdb_ci_api_component) related to the API.

 

Expanding the Data Model to API Gateways

 

In addition to these two new classes, there are a number of classes surrounding these two which will be used when populating from API Gateway sources.  Expanding on the core model, we continue to build out the data model as follows:

vNickNOW_0-1682088410077.png

Expanded data model for API Gateway data

 

A couple of initial points to notice are that the API class now has a new child class named "Managed API" (cmdb_ci_managed_api).  This class has a dependency on the API Gateway class which the core API class does not have.  Likewise, the API Component class has two new child classes, API Frontend (cmdb_ci_api_frontend) and API Backend (cmdb_ci_api_backend).  These two new child classes are used to store common components found in API Gateways which represent the client facing frontend (request) endpoint and the request fulfilling backend service which provides the response.

 

We can look at an example of this using the Azure API Management service.

 

vNickNOW_0-1682612287461.png

Azure API Management Service example

 

While the table "cmdb_ci_azure_gateway" does not currently exist, hopefully you can extrapolate how this will look in the future with that being a child class of the API Gateway class introduced in this new data model.  In the picture of the Azure API Management service, you can see a number of APIs.  When choosing the "Echo API" we see what Azure calls the various operations of the API.  These are what we will normalize into the data model as API Components.  However, we will not store them in that parent class, but use the additional data of this gateway to populate the API Frontend class with the "frontend" values like "POST /resource" and the API Backend class with the "backend" values like "http://echoapi.cloudapp.net/api" and related data about that resource.

 

We do not plan to replicate everything in the gateway into the ServiceNow CMDB, but rather, our intent is to capture the relevant data for achieving outcomes in the following use cases.

 

Use cases

 

Security Operations and Vulnerability Management: Being able to associate security incident or vulnerabilities with APIs can offer new insights and faster responses to one of the fastest growing attack surfaces in organizations today.

 

AIOps / ITOM Health:  APIs are now part of monitoring and observability solutions.  Being able to understand the health and/or outages of APIs is critical to keeping applications and services running.

 

Change Management: The availability of APIs within the CMDB provide a way of tracking major and minor changes to APIs in the same way as other organization technology assets.  This can help IT operators identify root causes faster when outages occur.

 

APIOps:  The emerging practice of APIOps brings together DevOps with GitOps to facilitate the full lifecycle of APIs.  Having this data within the CMDB gives multiple stakeholders the visibility of such assets in their workflows.

 

Example Data to Test

 

Using the ServiceNow example API above, this is how the data could be entered into the API (cmdb_ci_api) and API Component (cmdb_ci_api_component) classes, which are the two main classes to test during this innovation lab release period.

 

vNickNOW_1-1682624557524.png

API Example Data

 

Once the API is defined, the components can be added and related to the API.  Here is an example of one component that is related to the API.

 

vNickNOW_2-1682624694961.png

Example API Component Related to API

 

Once you have the components of the API defined, you should be able to see a dependency view similar to the following.

 

vNickNOW_3-1682624835645.png

Example dependency view

 

From this point, alerts can be bound to these CI's, dynamic CI groups could be created for service views, incidents and changes can be created against the CIs, vulnerable items can be filed, and any other workflow where you use CIs.

 

Placement of the API Class

 

Some customers may be asking why are we creating the new API class directly from the base cmdb_ci class.  The answer is that the conclusion to do so was made after multiple alternatives were considered.  First, the endpoint hierarchy was considered and more specifically the http endpoint class.  This was abandoned due to the hierarchies tight connection to service mapping and impact it would have on that capability.  Similarly, endpoints do not show on dependency views or service maps and we want customers to be able to visualize the APIs in the environment.  

 

Secondly, the application service hierarchy was considered.  Again, the hierarchy for app services was initially introduced by the service mapping team and there is considerable logic behind all records in that hierarchy including the continual evaluation of impact rules for each and every application service.  When loading 100's, 1000's, or event 10's of 1000's of APIs into that hierarchy, there was adverse behavior and visualization in the system.

 

Finally, a new service type was considered directly under the Service class (basically being a sibling to the application service hierarchy).  This approach met challenges with other product lines which would have to be modified to account for a new service type as they currently only perform against the existing three service types.

 

For these reasons we have extended directly from the cmdb_ci class to offer the most flexibility without impacting other product lines existing functionality.

 

How to Access and Provide Feedback

 

The innovation lab application is currently "hidden" and only available upon approval.  If your organization is in a position to load the new API data model detailed above in a sub production instance and populate the data given the concepts above, and can provide feedback on how it is working in certain process flows, please let me know.

 

Some initial issues to note are that we already plan to expand the width of the "ID" attributes on the classes as well as the "path" attributes as they are currently limited to 40 characters.

15 Comments
Philip Clarke
Tera Explorer

Really useful document, thanks for sharing.

 

Couple of questions.....

 

1. What tool do you use to automatically discover the data and populate into Service Now?

2. Would you also look to put a relationship between an Application Service and the CMDB Instance API? 

Fred Jonkhart
Tera Contributor

I see some fundamental issues with the above approach. An API is a contract / definition and has no instances. A single API is mostly implemented by multiple configuration items, such as having a deployment on an API Gateway, having a service with business logic and having a database that provides the data. In case of for instance Apigee there are so called API Proxies, the deployment units on an Apigee gateway. Such an API proxy is not the same as the API since itself provides no business logical and no data. The API's implementation is never complete with the an API proxy alone.

APIs should be managed an independent items, independent from implementations/instances. They should be managed as a design items. APIs are part of APM and are covered by the new Digital Integration Management product, where you can define Digital Interface items, which have a broader use the REST APIs only (https://docs.servicenow.com/en-US/bundle/utah-application-portfolio-management/page/product/applicat...).

From an API value stream perspective it is unfortunate that these capabilities are offered in different ServiceNow products.

SteveMacWWT
Kilo Sage

@Fred Jonkhart I get where you're coming from on this, but there also needs to be an operational representation for APIs as well. Without that operational view, there is no way to log Incidents / Problems / Changes against the CIs and see the broader impact that those have.


Right now, as the article talks about, at our company we are 'forcing' these into App Services as that is the closest / best place we can find for them. I know that my customers in the integrations area will be quite pleased when we can put this in place. 


And the API CIs are not meant to represent the whole infrastructure beneath it; just like Application Services represent an instance of Business Application (again the Design and Operational views of the same object), the underlying infrastructure is represented by itself. 

 

Note that I use 'infrastructure' in a very loose definition representing all the other objects that support an App Service or API. 

glennguzzo
ServiceNow Employee

How would we link these API CI's to discovered CI's such as Azure PaaS Web Servers in 'cmdb_ci_cloud_webserver' (extended from cmdb_ci_appl) which have FQDNs and many of the constructs that we need to understand its operations, e.g. subscription, state & ip address?  Would we be expected to reference/relate this to the API and/or API component classes?

Fred Jonkhart
Tera Contributor

@SteveMacWWT ,

Personally I see do not consider the use of App Service forcing anything. It is then exactly used how it supposed to be used, representing an instance of a Business Application. What I see people do is conflate API and Service (as in SOA Service, micro-service, etc). If this solution is to satisfy this conflation I strongly object against it.

 

The use cases include different statement that indicate this conflation. For instance 'outages of APIs' which I would call 'outage of services'. Or talking about vulnerabilities. An API has no programming code, a service has.

 

Unfortunately, the IT industry is very imprecise in its terminology and this conflation will not help.

 

A valid reason could be that a service implements more then one API and you want to be able to distinct these. But I do not see this mentioned in the use cases. And even then I would avoid API but would favor 'port' as in UML Component modelling. The latter is unfortunately hardly adopted.

 

Other reasons not to go into this path; 1) external standard defined APIs that are implemented by different software vendors, multiple home-grown services that implement one and the same API (polymorphism).

vNick
ServiceNow Employee

@Fred Jonkhart  and @SteveMacWWT  - great conversation and there is validity in both arguments.  There are a number of challenges to introducing this model and could be multiple solutions (as noted in the "Placement of the API Class" section above).  

 

In the end, we are trying to create a normalized data model due to many varying implementations and terminology in the market as noted by Fred.  The sources we plan to populate the data from do not offer insights into the underlying infrastructure running the service, which is another reason (in addition to those noted in the placement section) we didn't go the application service route.  

 

We can envision a day in the future where there are processes in place to try to perform some "matching" to infrastructure, or other classes as noted by @glennguzzo, but at this point in time, the data sources we have analyzed typically do not provide enough information to satisfy identification rules for doing such lookups.  We also do not want to create a dependency where that information has to be in CMDB before an API can be loaded.

 

The intent of the model is in fact to represent an operational view of an API versus the design view offered by APMs digital integration app, and given the constraints of most data sources containing operational APIs (gateways, observability / monitoring tools, CASB tools, vulnerability scanning tools, etc), we deemed it necessary to make the model independent of all existing hierarchies.

 

Thanks for your feedback and thoughts on the model.

Eric Maynard
Tera Contributor

I would represent APIs as Technical Service Offerings. An API is a service provided by some technology component to some other technology component - it has an SLA, importance, ownership, support, KPIs, potentially a cost model, relates to capabilities, etc.

I'm fine with there being a physical representation of the components supporting the API in the CMDB, but I think the solution to APIs should be made more internally consistent with the existing data model than what is being proposed here.

Fred Jonkhart
Tera Contributor

@ericw , It is not either an application service or a TSO, but probably both. The Application Service representing one or more technical components implementing the 'logical service' that exposes the API. The TSO to capture the service levels / contract side of things.
You can even imagine different offerings for different type of consumers, while the technical side of things stays the same.
This would be in line with the Open Group IT4IT Digital Product vision that separates technique (system) from service interaction and service offer.
(See: https://pubs.opengroup.org/it4it/3.0/snapshot/Digital_Product.html)

Joel L
ServiceNow Employee

@Fred Jonkhart i try to understand this part in one of your comments: 

"... An API has no programming code, a service has. ... "

Can you elaborate a bit on that?

I am trying to understand your angle here.

What is your derived difference then in outcomes?

Fred Jonkhart
Tera Contributor

@Joel L , This is how I look at it.
An interface is a design level contract between a producer of product A and the engineers that design and build a product B that connects with product A.
In case of an API it is a contract between developers/programmers. Assuming a remote API, it is the contract between developers of one or more consuming applications and the developers of a service providing application (e.g. a service when talking SOA or micro-service architecture). The developers of the service providing application implement the contract using some programming language. 

 

Potentially a application/service can implement multiple APIs.

Potentially a application/service can implement multiple versions of the same API.

Potentially there can be competing applications/services that implement one and the same API.

 

At run-time the only thing that matters is the deployed version of the application/service. There is no independent run-time API object.

 

My point is that calling a service providing application 'an API' is conflating terms, which further complicates communication in IT. We should clearly distinct the following:

  1. an API specification / contract (version specific),
  2. application / service definition that implements (1) (version specific) 
  3. the run-time instance, a deployment of (2)

I hope this makes sense.